Catalyst 3550 Multilayer Switch Software Configuration Guide
Cisco IOS Release 12.2(25)SEE
February 2006

Corporate Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 408 526-4000
     800 553-NETS (6387)
Fax: 408 526-4100

Text Part Number: OL-8565-01

THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.

THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.

The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB's public domain version of the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California.

NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED "AS IS" WITH ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE.

IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

CCSP, CCVP, the Cisco Square Bridge logo, Follow Me Browsing, and StackWise are trademarks of Cisco Systems, Inc.; Changing the Way We Work, Live, Play, and Learn, and iQuick Study are service marks of Cisco Systems, Inc.; and Access Registrar, Aironet, ASIST, BPX, Catalyst, CCDA, CCDP, CCIE, CCIP, CCNA, CCNP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Cisco Unity, Empowering the Internet Generation, Enterprise/Solver, EtherChannel, EtherFast, EtherSwitch, Fast Step, FormShare, GigaDrive, GigaStack, HomeLink, Internet Quotient, IOS, IP/TV, iQ Expertise, the iQ logo, iQ Net Readiness Scorecard, LightStream, Linksys, MeetingPlace, MGX, the Networkers logo, Networking Academy, Network Registrar, Packet, PIX, Post-Routing, Pre-Routing, ProConnect, RateMUX, ScriptShare, SlideCast, SMARTnet, StrataView Plus, TeleRouter, The Fastest Way to Increase Your Internet Quotient, and TransPath are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries.

All other trademarks mentioned in this document or Website are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0502R)

Any Internet Protocol (IP) addresses used in this document are not intended to be actual addresses. Any examples, command display output, and figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses in illustrative content is unintentional and coincidental.

Catalyst 3550 Multilayer Switch Software Configuration Guide
Copyright © 2006 Cisco Systems, Inc. All rights reserved.

CONTENTS

Preface  iii
  Audience  iii
  Purpose  iii
  Conventions  iv
  Related Publications  v
  Obtaining Documentation  vi
    Cisco.com  vi
    Product Documentation DVD  vi
    Ordering Documentation  vi
  Documentation Feedback  vi
  Cisco Product Security Overview  vii
    Reporting Security Problems in Cisco Products  vii
  Obtaining Technical Assistance  viii
    Cisco Technical Support & Documentation Website  viii
    Submitting a Service Request  ix
    Definitions of Service Request Severity  ix
  Obtaining Additional Publications and Information  ix

CHAPTER 1  Overview  1-1
  Features  1-1
    Ease of Deployment and Ease of Use  1-1
    Performance  1-2
    Manageability  1-3
    Redundancy  1-3
    VLAN Support  1-4
    Security  1-5
    Quality of Service (QoS) and Class of Service (CoS)  1-6
    Layer Support  1-7
    Monitoring  1-8
    Power over Ethernet Support for the Catalyst 3550-24PWR Switch  1-8
  Management Options  1-9
    Management Interface Options  1-9
    Advantages of Using Network Assistant and Clustering Switches  1-10
  Network Configuration Examples  1-10
    Design Concepts for Using the Switch  1-11
    Small to Medium-Sized Network Using Mixed Switches  1-14
    Large Network Using Only Catalyst 3550 Switches  1-16
    Multidwelling Network Using Catalyst 3550 Switches  1-17
    Long-Distance, High-Bandwidth Transport Configuration  1-19
  Where to Go Next  1-19

CHAPTER 2  Using the Command-Line Interface  2-1
  Cisco IOS Command Modes  2-1
  Getting Help  2-3
  Abbreviating Commands  2-4
  Using no and default Forms of Commands  2-4
  Understanding CLI Messages  2-5
  Using Configuration Logging  2-5
  Using Command History  2-5
    Changing the Command History Buffer Size  2-6
    Recalling Commands  2-6
    Disabling the Command History Feature  2-6
  Using Editing Features  2-7
    Enabling and Disabling Editing Features  2-7
    Editing Commands through Keystrokes  2-7
    Editing Command Lines that Wrap  2-8
  Searching and Filtering Output of show and more Commands  2-9
  Accessing the CLI  2-9

CHAPTER 3  Assigning the Switch IP Address and Default Gateway  3-1
  Understanding the Boot Process  3-1
  Assigning Switch Information  3-2
    Default Switch Information  3-3
    Understanding DHCP-Based Autoconfiguration  3-3
      DHCP Client Request Process  3-4
    Configuring DHCP-Based Autoconfiguration  3-5
      DHCP Server Configuration Guidelines  3-5
      Configuring the TFTP Server  3-6
      Configuring the DNS  3-6
      Configuring the Relay Device  3-6
      Obtaining Configuration Files  3-7
      Example Configuration  3-8
    Manually Assigning IP Information  3-10
  Checking and Saving the Running Configuration  3-10
  Modifying the Startup Configuration  3-11
    Default Boot Configuration  3-11
    Automatically Downloading a Configuration File  3-11
      Specifying the Filename to Read and Write the System Configuration  3-12
    Booting Manually  3-12
    Booting a Specific Software Image  3-13
    Controlling Environment Variables  3-14
  Scheduling a Reload of the Software Image  3-16
    Configuring a Scheduled Reload  3-16
    Displaying Scheduled Reload Information  3-17

CHAPTER 4  Configuring Cisco IOS CNS Agents  4-1
  Understanding Cisco Configuration Engine Software  4-1
    Configuration Service  4-2
    Event Service  4-3
    NameSpace Mapper  4-3
  What You Should Know About the CNS IDs and Device Hostnames  4-3
    ConfigID  4-3
    DeviceID  4-4
    Hostname and DeviceID  4-4
    Using Hostname, DeviceID, and ConfigID  4-4
  Understanding Cisco IOS Agents  4-5
    Initial Configuration  4-5
    Incremental (Partial) Configuration  4-6
    Synchronized Configuration  4-6
  Configuring Cisco IOS Agents  4-6
    Enabling Automated CNS Configuration  4-6
    Enabling the CNS Event Agent  4-8
    Enabling the Cisco IOS CNS Agent  4-9
      Enabling an Initial Configuration  4-9
      Enabling a Partial Configuration  4-11
  Upgrading Devices with Cisco IOS Image Agent  4-12
    Prerequisites for the CNS Image Agent  4-12
    Restrictions for the CNS Image Agent  4-12
  Displaying CNS Configuration  4-13

CHAPTER 5  Clustering Switches  5-1
  Understanding Switch Clusters  5-1
    Cluster Command Switch Characteristics  5-2
    Standby Cluster Command Switch Characteristics  5-3
    Candidate Switch and Member Switch Characteristics  5-3
  Planning a Switch Cluster  5-4
    Automatic Discovery of Cluster Candidates and Members  5-4
      Discovery Through CDP Hops  5-5
      Discovery Through Non-CDP-Capable and Noncluster-Capable Devices  5-5
      Discovery Through Different VLANs  5-6
      Discovery Through Different Management VLANs  5-7
      Discovery Through Routed Ports  5-7
      Discovery of Newly Installed Switches  5-8
    HSRP and Standby Cluster Command Switches  5-10
      Virtual IP Addresses  5-11
      Other Considerations for Cluster Standby Groups  5-11
      Automatic Recovery of Cluster Configuration  5-12
    IP Addresses  5-13
    Hostnames  5-13
    Passwords  5-13
    SNMP Community Strings  5-14
    TACACS+ and RADIUS  5-14
    (For instructions on configuring the switch for a Telnet session, see the "Disabling Password Recovery" section on page 6-5.)
    Catalyst 1900 and Catalyst 2820 CLI Considerations  5-14
  Using SNMP to Manage Switch Clusters  5-15

CHAPTER 6  Administering the Switch  6-1
  Managing the System Time and Date  6-1
    Understanding the System Clock  6-1
    Understanding Network Time Protocol  6-2
    Configuring NTP  6-3
      Default NTP Configuration  6-4
      Configuring NTP Authentication  6-4
      Configuring NTP Associations  6-5
      Configuring NTP Broadcast Service  6-6
      Configuring NTP Access Restrictions  6-8
      Configuring the Source IP Address for NTP Packets  6-10
      Displaying the NTP Configuration  6-11
    Configuring Time and Date Manually  6-11
      Setting the System Clock  6-11
      Displaying the Time and Date Configuration  6-12
      Configuring the Time Zone  6-12
      Configuring Summer Time (Daylight Saving Time)  6-13
  Configuring a System Name and Prompt  6-14
    Default System Name and Prompt Configuration  6-15
    Configuring a System Name  6-15
    Understanding DNS  6-15
      Default DNS Configuration  6-16
      Setting Up DNS  6-16
      Displaying the DNS Configuration  6-17
  Creating a Banner  6-17
    Default Banner Configuration  6-17
    Configuring a Message-of-the-Day Login Banner  6-17
    Configuring a Login Banner  6-19
  Managing the MAC Address Table  6-19
    Building the Address Table  6-20
    MAC Addresses and VLANs  6-20
    Default MAC Address Table Configuration  6-21
    Changing the Address Aging Time  6-21
    Removing Dynamic Address Entries  6-21
    Configuring MAC Address Notification Traps  6-22
    Adding and Removing Static Address Entries  6-24
    Configuring Unicast MAC Address Filtering  6-25
    Displaying Address Table Entries  6-26
  Optimizing System Resources for User-Selected Features  6-26
    Using the Templates  6-28
  Managing the ARP Table  6-29

CHAPTER 7  Configuring Switch-Based Authentication  7-1
  Preventing Unauthorized Access to Your Switch  7-1
  Protecting Access to Privileged EXEC Commands  7-2
    Default Password and Privilege Level Configuration  7-2
    Setting or Changing a Static Enable Password  7-3
    Protecting Enable and Enable Secret Passwords with Encryption  7-4
    Disabling Password Recovery  7-5
    Setting a Telnet Password for a Terminal Line  7-6
    Configuring Username and Password Pairs  7-7
    Configuring Multiple Privilege Levels  7-8
      Setting the Privilege Level for a Command  7-8
      Changing the Default Privilege Level for Lines  7-9
      Logging into and Exiting a Privilege Level  7-10
  Controlling Switch Access with TACACS+  7-10
    Understanding TACACS+  7-10
    TACACS+ Operation  7-12
    Configuring TACACS+  7-12
      Default TACACS+ Configuration  7-13
      Identifying the TACACS+ Server Host and Setting the Authentication Key  7-13
      Configuring TACACS+ Login Authentication  7-14
      Configuring TACACS+ Authorization for Privileged EXEC Access and Network Services  7-16
      Starting TACACS+ Accounting  7-17
    Displaying the TACACS+ Configuration  7-17
  Controlling Switch Access with RADIUS  7-17
    Understanding RADIUS  7-18
    RADIUS Operation  7-19
    Configuring RADIUS  7-20
      Default RADIUS Configuration  7-20
      Identifying the RADIUS Server Host  7-20
      Configuring RADIUS Login Authentication  7-23
      Defining AAA Server Groups  7-25
      Configuring RADIUS Authorization for User Privileged Access and Network Services  7-27
      Starting RADIUS Accounting  7-28
      Configuring Settings for All RADIUS Servers  7-29
      Configuring the Switch to Use Vendor-Specific RADIUS Attributes  7-29
      Configuring the Switch for Vendor-Proprietary RADIUS Server Communication  7-31
    Displaying the RADIUS Configuration  7-31
  Controlling Switch Access with Kerberos  7-32
    Understanding Kerberos  7-32
    Kerberos Operation  7-34
      Authenticating to a Boundary Switch  7-34
      Obtaining a TGT from a KDC  7-35
      Authenticating to Network Services  7-35
    Configuring Kerberos  7-35
  Configuring the Switch for Local Authentication and Authorization  7-36
  Configuring the Switch for Secure Shell  7-37
    Understanding SSH  7-38
      SSH Servers, Integrated Clients, and Supported Versions  7-38
      Limitations  7-38
    Configuring SSH  7-38
      Configuration Guidelines  7-39
      Setting Up the Switch to Run SSH  7-39
      Configuring the SSH Server  7-40
    Displaying the SSH Configuration and Status  7-41
  Configuring the Switch for Secure Socket Layer HTTP  7-41
    Understanding Secure HTTP Servers and Clients  7-42
      Certificate Authority Trustpoints  7-42
      CipherSuites  7-43
    Configuring Secure HTTP Servers and Clients  7-44
      Default SSL Configuration  7-44
      SSL Configuration Guidelines  7-44
      Configuring a CA Trustpoint  7-45
      Configuring the Secure HTTP Server  7-46
      Configuring the Secure HTTP Client  7-47
    Displaying Secure HTTP Server and Client Status  7-48
  Configuring the Switch for Secure Copy Protocol  7-48

CHAPTER 8  Configuring IEEE 802.1x Port-Based Authentication  8-1
  Understanding IEEE 802.1x Port-Based Authentication  8-1
    Device Roles  8-2
    Authentication Process  8-3
    Authentication Initiation and Message Exchange  8-5
    Ports in Authorized and Unauthorized States  8-7
    IEEE 802.1x Host Mode  8-7
    IEEE 802.1x Accounting  8-8
    IEEE 802.1x Accounting Attribute-Value Pairs  8-8
    Using IEEE 802.1x Authentication with VLAN Assignment  8-9
    Using IEEE 802.1x Authentication with Per-User ACLs  8-10
    Using IEEE 802.1x Authentication with Guest VLAN  8-11
    Using IEEE 802.1x Authentication with Restricted VLAN  8-12
    Using IEEE 802.1x Authentication with Inaccessible Authentication Bypass  8-13
    Using IEEE 802.1x Authentication with Voice VLAN Ports  8-14
    Using IEEE 802.1x Authentication with Port Security  8-15
    Using IEEE 802.1x Authentication with Wake-on-LAN  8-16
    Using IEEE 802.1x Authentication with MAC Authentication Bypass  8-16
    Network Admission Control Layer IEEE 802.1x Validation  8-17
  Configuring IEEE 802.1x Authentication  8-18
    Default IEEE 802.1x Authentication Configuration  8-19
    IEEE 802.1x Authentication Configuration Guidelines  8-20
      IEEE 802.1x Authentication  8-20
      VLAN Assignment, Guest VLAN, Restricted VLAN, and Inaccessible Authentication Bypass  8-21
      MAC Authentication Bypass  8-22
    Upgrading from a Previous Software Release  8-22
    Configuring IEEE 802.1x Authentication  8-22
    Configuring the Switch-to-RADIUS-Server Communication  8-24
    Configuring the Host Mode  8-26
    Enabling Periodic Re-Authentication  8-26
    Manually Re-Authenticating a Client Connected to a Port  8-27
    Changing the Quiet Period  8-27
    Changing the Switch-to-Client Retransmission Time  8-28
    Setting the Switch-to-Client Frame-Retransmission Number  8-29
    Setting the Re-Authentication Number  8-29
    Configuring IEEE 802.1x Accounting  8-30
    Configuring a Guest VLAN  8-31
    Configuring a Restricted VLAN  8-32
    Configuring the Inaccessible Authentication Bypass Feature  8-33
    Configuring IEEE 802.1x Authentication with WoL  8-36
    Configuring MAC Authentication Bypass  8-36
    Configuring NAC Layer IEEE 802.1x Validation  8-37
    Disabling IEEE 802.1x on the Port  8-38
    Resetting the IEEE 802.1x Configuration to the Default Values  8-38
  Displaying IEEE 802.1x Statistics and Status  8-38

CHAPTER 9  Configuring Interface Characteristics  9-1
  Understanding Interface Types  9-1
    Port-Based VLANs  9-2
    Switch Ports  9-2
      Access Ports  9-3
      Trunk Ports  9-3
      Tunnel Ports  9-4
    Switch Virtual Interfaces  9-4
    Routed Ports  9-4
...